Characteristics of Internet Background Radiation - UNC Computer ...
Characteristics of Internet Background Radiation - UNC Computer ...
Characteristics of Internet Background Radiation - UNC Computer ...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
two short binary messages.<br />
"ftp://bla:bla@:/bot.exe 0"<br />
On the Class A network, however, we do not see a lot <strong>of</strong> port<br />
2745 activities. Interestingly, we see several source hosts that attempt<br />
to upload Windows executables. We also see many hosts that<br />
close the connection after exchange <strong>of</strong> an initial message.<br />
On port 4751, in some cases we see binary upload after echoing a<br />
header, similar to what happens on port 3721, but in most cases we<br />
receive a cryptic 24-byte message, and are unable to elicit further<br />
response by echoing.<br />
TCP Port 1981/4444/9996: (Exploit Follow-Ups): While worms<br />
such as CodeRed and Slammer are contained completely within the<br />
buffer-overrun payload, several <strong>of</strong> the other worms such as Blaster<br />
and Sasser infect victim hosts in two steps. First, the buffer-overrun<br />
payload carries only a piece <strong>of</strong> “shell code” that will listen on a<br />
particular port to accept further commands; Second, the source then<br />
instructs the shell code to download and execute a program from a<br />
remote host. For example, on port 4444, the follow-up port for the<br />
Blaster worm, we <strong>of</strong>ten see:<br />
tftp -i GET msblast.exe<br />
start msblast.exe<br />
msblast.exe<br />
Similarly, on port 1981 (Agobots) and 9996 (Sasser) we see sequences<br />
<strong>of</strong> shell commands to download and execute a bot.exe.<br />
In contrast, there is a different kind <strong>of</strong> shell code called “reverse<br />
shell” which does not listen on any particular port, but instead connects<br />
back to the source host (“phone home”). The port on the<br />
source host can be randomly chosen and is embedded in the shell<br />
code sent to the victim. The Welchia worm uses a reverse shell<br />
(though its random port selection is flawed). This makes it much<br />
harder to capture the contents <strong>of</strong> follow-up connections, because<br />
1) we will have to understand the shell code to find out the “phonehome”<br />
port; and 2) initiating connections from our honeypots violates<br />
the policy <strong>of</strong> the hosting networks.<br />
empty).<br />
UDP Port 53: We expected to see a lot <strong>of</strong> DNS requests, but instead,<br />
find sources sending us non-DNS (or malformed) packets as<br />
shown below:<br />
20:27:43.866952 172.147.151.249.domain > 128.3.x.x.domain: [udp sum ok]<br />
258 [b2&3=0x7] [16323a] [53638q] [9748n] [259au]<br />
Type26904 (Class 13568)? [|domain] (ttl 115, id 12429, len 58)<br />
0x0000 (...)<br />
0x0010 xxxx xxxx 0035 0035 0026 xxxx 0102 0007 ................<br />
0x0020 d186 3fc3 2614 0103 d862 6918 3500 d54c ..?.&....bi.5..L<br />
0x0030 8862 3500 cb1f ee02 3500 .b5.....5.<br />
We do not know what these packets are. These requests dominate<br />
UDP packets observed in the LBL and UW (I,II) networks.<br />
Table 8 provides a summary <strong>of</strong> the DNS activity observed in<br />
the Class A network during a 24 hour trace showing a more diverse<br />
activity. Much like the UW and LBL networks, sources sending<br />
malformed DNS requests dominate. However, in terms <strong>of</strong> packet<br />
counts other queries are substantial. We suspect these are possibly<br />
due to misconfigured DNS server IP addresses on hosts. These<br />
queries are sent to various destination IP addresses and originate<br />
from various networks. Hence it seems unlikely that these are a<br />
result <strong>of</strong> stale DNS entries.<br />
The biggest contributor in terms <strong>of</strong> volume are standard A<br />
queries that resolve IP address for domain names. The SOA packets<br />
are “Start <strong>of</strong> Authority” packets used to register domain authorities.<br />
We observed 45 sources (out <strong>of</strong> total 95) registering different domain<br />
authorities in BGC.net. Other queries include PTR queries<br />
(used for reverse DNS lookups), SRV records (used to specify locations<br />
<strong>of</strong> services) and AAAA queries (IPv6 name resolution).<br />
Type Num packets Num sources<br />
Malformed packets 5755 3616<br />
Standard (A) queries 10139 150<br />
Standard query (SOA) 4059 95<br />
Standard query (PTR) 1281 27<br />
DNS Standard query SRV packets 785 20<br />
DNS Standard query AAAA packets 55 16<br />
DNS Standard unused packets 739 3<br />
DNS Standard unknown packets 1485 3<br />
Table 8: Summary <strong>of</strong> DNS activity seen in the Class A (24<br />
hours)<br />
UDP Port 137: The activities are dominated by NetBIOS standard<br />
name queries (probes).<br />
UDP Port 1026, 1027 (Windows Messenger Pop-Up Spam):<br />
These appear as UDP packets with source port 53 and destination<br />
port 1026 (or 1027). While this port combination typically connotes<br />
a DNS reply, examination <strong>of</strong> packet contents reveal that they<br />
are in fact DCE/RPC requests that exploit a weakness in the Windows<br />
Messenger API to deliver spam messages to unpatched Windows<br />
desktops [40]. Figure 10 shows a trace <strong>of</strong> a typical packet.<br />
The source IP addresses <strong>of</strong> these packets are <strong>of</strong>ten spo<strong>of</strong>ed, as<br />
suggested by the observed ICMP host-unreach backscatter <strong>of</strong><br />
these attacks in the Class A. The choice <strong>of</strong> source port 53 is most<br />
likely to evade firewalls.<br />
05:23:16.964060 13.183.182.178.domain > xxx.xxx.xxx.xxx.1026: 1024 op5<br />
[4097q] 68/68/68 (Class 0) Type0[|domain] (DF)<br />
...<br />
0x0010 .... .... .... .... .... .... 0400 a880 ................<br />
0x0020 1001 000a 000a 000a 0000 0000 0000 0000 ................<br />
0x0030 0000 0000 f891 7b5a 00ff d011 a9b2 00c0 ......{Z........<br />
0x0040 4fb6 e6fc 4ba6 e851 f713 8030 a761 c319 O...K..Q...0.a..<br />
0x0050 13f0 e28c 0000 0000 0100 0000 0000 0000 ................<br />
0x0060 0000 ffff ffff 6400 0000 0000 0c00 0000 ......d.........<br />
0x0070 0000 0000 0c00 0000 5265 616c 2057 6f6d ........Real.Wom<br />
0x0080 656e 0000 0400 0000 0000 0000 0400 0000 en..............<br />
0x0090 596f 7500 3000 0000 0000 0000 3000 0000 You.0.......0...<br />
0x00a0 5741 4e54 2053 4558 3f0d 0a0d 0a46 494e WANT.SEX?....FIN<br />
0x00b0 4420 5553 2041 543a 0d0a 0d0a 0977 7777 D.US.AT:.....www<br />
0x00c0 2exx xxxx xxxx xxxx xx2e 4249 5a0d 0a00 .********.BIZ...<br />
Figure 10: Observed Windows Messenger Pop-Up Spam packets.<br />
UDP Port 1434: The Slammer worm is still alive and is the only<br />
background radiation we see on port 1434.<br />
TCP Port 1433: We have not yet built a detailed responder for<br />
MS-SQL. It appears that most source hosts are trying to log in with<br />
blank passwords.<br />
TCP Port 5000: We do not know enough about this port. The port<br />
is reserved for Universal Plug-and-Play on Windows Systems, but<br />
almost none <strong>of</strong> requests we see are valid HTTP requests. However,<br />
most requests contain a number <strong>of</strong> consecutive 0x90’s (NOP) and<br />
thus look like buffer-overrun exploits.<br />
All the ports we examine above exhibit a modal distribution at<br />
the application semantic level, i.e., they all contain one or a few<br />
dominant elements. The only exception is the DCE/RPC ports,<br />
on which we see some diversity, but in some sense, the various<br />
exploits on DCE/RPC ports have a single dominant element on a<br />
higher level — they target the same vulnerability. As the dominant<br />
elements are quite different from what we see in the normal traffic,<br />
this suggests that we will be able to filter out the majority <strong>of</strong><br />
background radiation traffic with a sound classification scheme at